Category: Passwords

Some crypto challenges: Author writeup from BSidesSF CTF

Hey everybody,

This is yet another author’s writeup for BSidesSF CTF challenges! This one will focus on three crypto challenges I wrote: mainframe, mixer, and decrypto!

Continue reading

Call for help: researching the recent gmail password leak

Hey folks,

You probably heard this week about 5 million accounts posted. I’ve been researching it independently, and was hoping for some community help (this is completely unrelated to the fact that I work at Google - I just like passwords).

I’m reasonably sure that the released list is an amalgamation of a bunch of other lists and breaches. But I don’t know what ones - that’s what I’m trying to find out!

Which brings me to how you can help: people who can recognize which site their password came from. I’m trying to build a list of which breaches were aggregated to create this list, in the hopes that I can find breaches that were previously unreported!

If you want to help:

      1. Check your email address on
      2. If you're in the list, email from the associated account
      3. I'll tell you the password that was associated with that account
      4. And, most importantly, you tell me which site you used that password on!

In a couple days/weeks (depending on how many responses I get), I’ll release the list of providers!

Thanks! And, as a special ‘thank you’ to all of you, here are the aggregated passwords from the breach! And no, I’m not going to release (or keep) the email list. :)

Continue reading authentication misconceptions

Hey everybody,

There have been a lot of discussion and misconceptions about’s authentication lately. Having done a lot of work on the protocol, I wanted to lay some to rest.

The first thing to understand is that, at least at the time I was working on this, there were three different login methods (this is before they combined the Web logins with logins - I can’t speak on those). The three methods are:

  1. CHAT protocol - deprecated a long, long time ago
  2. Old Login System (OLS) - used by Diablo, Warcraft 2 BNE, Starcraft, and Diablo II
  3. New Login System (NLS) - used by Warcraft 3, World of Warcraft, and in some fashion by newer games. Also supported - but unused - by Diablo II

I’ll describe, in detail, how each of these work. The summary is, though, that at no point does a game client ever send a plaintext password to the server. The closest is the SHA1 of the password, which is used for account creation in old games. For more information, read on!

Continue reading

(Mostly) good password resets

Hey everybody!

This is part 3 to my 2-part series on password reset attacks (Part 1 / Part 2). Overall, I got awesome feedback on the first two parts, but I got the same question over and over: what’s the RIGHT way to do this?

So, here’s the thing. I like to break stuff, but I generally leave the fixing to somebody else. It’s just safer that way, since I’m not really a developer or anything like that. Instead, I’m going to continue the trend of looking at others’ implementations by looking at three major opensource projects - Wordpress, SMF, and MediaWiki. Then, since all of these rely on PHP’s random number implementation to some extent, I’ll take a brief look at PHP.

Continue reading

Hacking crappy password resets (part 2)


In my last post, I showed how we could guess the output of a password-reset function with a million states. While doing research for that, I stumbled across some software that had a mere 16,000 states. I will show how to fully compromise this software package remotely using the password reset.

Continue reading

Hacking crappy password resets (part 1)

Greetings, all!

This is part one of a two-part blog on password resets. For anybody who saw my talk (or watched the video) from Winnipeg Code Camp, some of this will be old news (but hopefully still interesting!)

For this first part, I’m going to take a closer look at some very common (and very flawed) code that I’ve seen in on a major “snippit” site and contained in at least 5-6 different applications (out of 20 or so that I reviewed). The second blog will focus on a single application that does something much worse.

Continue reading

Ethics of password cracking/dissemination

It’s rare these days for me to write blogs that I have to put a lot of thought into. Most of my writing is technical, which comes pretty naturally, but I haven’t written an argument since I minored in philosophy. So, if my old Ethics or Philosophy profs are reading this, I’m sorry!

Continue reading

Followup to my Facebook research

Hey all,

Some of you may have heard what I did this month. It turns out, depending on who you listen to, that I’m either an evil “Facebook hacker” or just some mischievous individual doing “unsettling” research. But, one way or the other, a huge number of people have read or heard this story, and that’s pretty cool.

Although it’s awesome (and humbling) that so much attention was paid (at least for a couple days) to some fairly straight forward work I did, I want to talk about this from my perspective, including why I did it and what I think this means to the community. Then, for fun, I’ll end by talking about other places this research can go and open up the floor for some discussion.

Continue reading

Return of the Facebook Snatchers

First and foremost: if you want to cut to the chase, just download the torrent. If you want the full story, please read on….


Way back when I worked at Symantec, my friend Nick wrote a blog that caused a little bit of trouble for us: Attack of the Facebook Snatchers. I was blog editor at the time, and I went through the usual sign off process and, eventually, published it. Facebook was none too happy, but we fought for it and, in the end, we got to leave the blog up in its original form.

Why do I bring this up? Well last week @FSLabsAdvisor wrote an interesting Tweet: it turns out, by heading to, you can get a list of every searchable user on all of Facebook!

My first idea was simple: spider the lists, generate first-initial-last-name (and similar) lists, then hand them over to @Ithilgore to use in Nmap’s awesome new bruteforce tool he’s working on, Ncrack.

Continue reading

robots.txt: important if you’re hosting passwords

This is going to be a fun post that’s related to some of my password work. Some of the text may not be PG13, so parental discretion is advised.

As most of you know, I’ve been collecting password lists. In addition to normal password lists that are useful in bruteforcing, I have a (so far) lame collection of non-hacking dictionaries. Things like cities, English words, etc.

There was a time when the biggest dictionary I had, weighing in at 6.4mb, was a German wordlist. 6.4mb doesn’t sound like much, but at the time I was on a DSL connection; with about 400kbit upstream (on a good day), I could feel every download.

Continue reading

The ultimate faceoff between password lists

Yes, I’m still working on making the ultimate password list. And I don’t mean the 16gb one I made by taking pretty much every word or word-looking string on the Internet when I was a kid; that was called ultimater dictionary. No; I mean one that is streamlined, sorted, and will make Nmap the bruteforce tool of the future!

Continue reading

Hard evidence that people suck at passwords

Hey everybody!

As you probably know, I’ve been working hard on generating and evaluating passwords. My last post was all about’s passwords; next post will (probably) be about different groups of passwords from my just updated password dictionaries page. This will be a little different, though.

Continue reading